General
-
Target
78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6.bin
-
Size
3.1MB
-
Sample
210719-jctxb9m6bx
-
MD5
78d1cabb867eb5b30ccab20ae79f1760
-
SHA1
5958963ab0b43905a2d1654f6f2afa944e633186
-
SHA256
78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6
-
SHA512
43291cc257c3939fe671e270294ce210d959f78b9b4bfb042d6ab96950111e886310d0bdcf244deaad002f6003129d994262a9ba1db46cd5d0b9b62ed5d967db
Malware Config
Extracted
darkcomet
JANuary 2021
chrisle79.ddns.net:3317
jacknop79.ddns.net:3317
smath79.ddns.net:3317
whatis79.ddns.net:3317
goodgt79.ddns.net:3317
bonding79.ddns.net:3317
DC_MUTEX-X1VW1F7
-
gencode
U35l73tWGu8y
-
install
false
-
offline_keylogger
true
-
password
Password20$
-
persistence
false
Targets
-
-
Target
78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6.bin
-
Size
3.1MB
-
MD5
78d1cabb867eb5b30ccab20ae79f1760
-
SHA1
5958963ab0b43905a2d1654f6f2afa944e633186
-
SHA256
78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6
-
SHA512
43291cc257c3939fe671e270294ce210d959f78b9b4bfb042d6ab96950111e886310d0bdcf244deaad002f6003129d994262a9ba1db46cd5d0b9b62ed5d967db
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-